SD-WAN helps secure hybrid networks (3000-site Bank)

S. Smith got one of those rare opportunities that most network engineers can only dream about — the chance to completely redesign his company’s legacy branch architecture.

All 3,000 branches belonging to the financial services company he works for had routed its wide area network (WAN) traffic over MPLS. An Internet connection was available as a backup, but only as a break-glass-in-case-of-emergency alternative if the MPLS link went down. While it met the company’s strict security requirements, it was expensive to maintain.

As Smith and his team worked on how they could make their WAN more efficient without increasing their reliance on MPLS, software-defined WAN (SD-WAN) caught their attention. This new technology enables enterprises to create hybrid networks that aggregate multiple access technologies, including commercial Internet services, and dynamically route traffic across the best one depending on real-time availability and performance, or other custom policies.

After running lab tests and a small pilot in their production network with startup Viptela’s SD-WAN platform, Smith and his team were sold. They are now in the process of rolling it out to all of their branches, deploying it with a mix of MPLS, broadband and wireless LTE connectivity at every location.

But for a company with six million customers, that’s a lot of sensitive data flying around the Internet. How can an IT team in banking, of all industries, be on board with that? Many enterprise network engineers eyeing hybrid WAN architectures are asking themselves the same question: It can’t be as safe as running everything on MPLS, right?

Although not as robust as a dedicated security appliance, SD-WAN platforms come with enough security features to finally make hybrid networks secure enough for widespread use, according to experts and early adopters. All of Smith’s WAN traffic goes through end-to-end encrypted tunnels — a feature he says was nonnegotiable when redesigning his branch architecture — and a third party validated the platform’s security in a penetration test.

“Broadband is kind of the Wild West, but we’re doing what we can to ensure the integrity of our data over that transport,” says Smith, an infrastructure engineer who spoke on the condition he and his company weren’t fully identified, due to security concerns.

“It’s a different way to think about it. MPLS was always deemed safer,” he adds. “No one was using encryption originally over that, and then they started putting encryption on it. Once you start doing that over broadband and everything else, you start thinking, ‘Well, I guess it doesn’t really matter what transport medium I’m actually using if I’m encrypted and tunneling end to end. It’s just bandwidth.'”

Most of the hype around SD-WAN has been about its ability to boost WAN performance, availability and cost savings by simplifying the way hybrid networks are deployed and managed. Without these platforms, engineering a hybrid WAN from scratch was just too difficult for most enterprises, according to Andrew Lerner, a research director at Gartner. Security wasn’t much of a consideration until SD-WAN made hybrid WANs practical.

“SD-WAN is an enabling technology that can actually expose the security problems associated with moving to a hybrid WAN,” Lerner says. “It enables you to do something that was very difficult to do before, which opens up the opportunity to address a security issue that was masked because it just wasn’t possible.”

SD-WAN vendors deliver their security features through an on-premises appliance or a cloud-based security service, often providing the latter via third parties like Websense or Zscaler. But unless you’re sending top-secret government files or high-value monetary transfers, that approach is probably good enough, Lerner says.